General

  • Target

    73ddd6e74eb0a2d177bb0c9f9d525b09_JaffaCakes118

  • Size

    161KB

  • Sample

    240526-bjpa8shh96

  • MD5

    73ddd6e74eb0a2d177bb0c9f9d525b09

  • SHA1

    d5240129005fb54008a225e39da2c2f936213ba2

  • SHA256

    cd7a3f4504a25bac05758f4d05cfbd0cdaec4db40bc0b2619f66bdc949d36999

  • SHA512

    bed618e5e74357048667c708b1bbc4201b97becb2911f9aba9c92c99e1ab8654964b42b2fa2059d97a4a4233074a48d3c181dcd89727261d351797a1126a7082

  • SSDEEP

    3072:ZsTLZhs0uDI0rAfOXl+y+uql/GOtsrVrqhTqndtndhndKndw:2TLFuD6fOXlql/GLJrqqndtndhndKndw

Malware Config

Extracted

Family

pony

C2

http://butterchoco.net/admin/bull/gate.php

Targets

    • Target

      73ddd6e74eb0a2d177bb0c9f9d525b09_JaffaCakes118

    • Size

      161KB

    • MD5

      73ddd6e74eb0a2d177bb0c9f9d525b09

    • SHA1

      d5240129005fb54008a225e39da2c2f936213ba2

    • SHA256

      cd7a3f4504a25bac05758f4d05cfbd0cdaec4db40bc0b2619f66bdc949d36999

    • SHA512

      bed618e5e74357048667c708b1bbc4201b97becb2911f9aba9c92c99e1ab8654964b42b2fa2059d97a4a4233074a48d3c181dcd89727261d351797a1126a7082

    • SSDEEP

      3072:ZsTLZhs0uDI0rAfOXl+y+uql/GOtsrVrqhTqndtndhndKndw:2TLFuD6fOXlql/GLJrqqndtndhndKndw

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Tasks